Windows Registry Forensics.doc

Date post: 18-Jul-2016
Upload: shijna-shafeeque
Page 1: Windows Registry Forensics.doc

Windows Registry Forensics

Information that can be recovered includes:

- System configuration
- Devices on the system
- User names
- Personal settings and browser preferences
- Web browsing activity
- Files opened
- Programs executed
- Passwords

Registry Forensics

Registry analysis approaches:

- GUI-based live-system analysis: the easiest option, but the most likely to incur changes to the evidence. Uses regedit.
- Command-line live-system analysis: less risky. Uses the "reg" command.
- Remote live-system analysis: regedit allows access to a remote registry; SuperScan from Foundstone.
- Offline analysis of registry files: EnCase and FTK (AccessData) have specialized tools; regedit on a registry dump.

Physically, the Registry is not one large file but a set of discrete files called hives.

The five folder-like structures at the top of the hierarchy are called hives and begin with the designation "HKEY" (an abbreviation for Handle to a Key).

There are five such hives, but only two of them are real: HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). The other three are shortcuts or aliases to branches within one of these two.

Every hive has keys, which contain values and subkeys.


Name                  Abbreviation

HKEY_CLASSES_ROOT     HKCR
HKEY_CURRENT_USER     HKCU
HKEY_LOCAL_MACHINE    HKLM
HKEY_USERS            HKU
HKEY_CURRENT_CONFIG   HKCC

HKEY_CLASSES_ROOT (HKCR): Maintains the information that ensures the right program opens a file when it is executed in Windows Explorer, i.e. which program opens .txt, .bmp files, etc. It also contains additional details on shortcuts, drag-and-drop rules and the user interface. Alias for HKLM\Software\Classes.

HKEY_CURRENT_USER (HKCU): Contains the configuration information for the current user, such as folders, screen colors and Control Panel settings. It is an alias for the user-specific branch in HKEY_USERS. Generic information that usually applies to all users is found in HKU\.DEFAULT.

HKEY_LOCAL_MACHINE (HKLM): Hardware-specific information about the machine the operating system runs on. Also contains a list of mounted drives and generic configurations of installed hardware and applications.

HKEY_USERS (HKU): All user profiles on the system, including application configurations and visual settings.

HKEY_CURRENT_CONFIG (HKCC): This hive stores information about the system's current configuration. Alias for HKLM\Config\profile.


VALUES

Each key has one or more values. A value has three parts: Name, Type and Data.

Value part   Description

Name         Every value has a unique name within its key.

Type         The value's type determines the kind of data the value contains. Common value types are: REG_BINARY (binary data); REG_DWORD (double-word, 32-bit data); REG_SZ (fixed-length string data).

Data         The value's data, which is interpreted according to the value's type.
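As an added example, not part of the original document, the following Python decodes raw value data by type, going beyond the three types listed above to include REG_EXPAND_SZ, REG_MULTI_SZ and REG_QWORD. It assumes the value's type code and data bytes have already been read from a hive file (for example by an offline hive parser); the TypedURLs sample data is constructed.

```python
import struct

# Value type codes as stored in hive files (the documented Win32 REG_* constants)
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11


def decode_sz(data: bytes) -> str:
    """REG_SZ / REG_EXPAND_SZ: UTF-16LE text, normally NUL-terminated.
    Hive data does not always carry the terminator, so both forms are accepted."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def decode_multi_sz(data: bytes) -> list:
    """REG_MULTI_SZ: NUL-separated UTF-16LE strings, ended by an empty string (double NUL)."""
    text = data.decode("utf-16-le", errors="replace")
    return [s for s in text.split("\x00") if s]


def decode_value(value_type: int, data: bytes):
    """Interpret raw value data according to its type; returns str, list, int or a hex string."""
    if value_type in (REG_SZ, REG_EXPAND_SZ):
        return decode_sz(data)
    if value_type == REG_MULTI_SZ:
        return decode_multi_sz(data)
    if value_type == REG_DWORD:
        if len(data) != 4:
            raise ValueError("REG_DWORD data must be exactly 4 bytes")
        return struct.unpack("<I", data)[0]      # little-endian 32-bit
    if value_type == REG_QWORD:
        if len(data) != 8:
            raise ValueError("REG_QWORD data must be exactly 8 bytes")
        return struct.unpack("<Q", data)[0]      # little-endian 64-bit
    if value_type == REG_BINARY:
        return data.hex()                          # interpretation is left to the analyst
    raise ValueError(f"unsupported value type {value_type}")


def decode_key(values):
    """values: iterable of (name, type, raw_bytes) triples read from one key."""
    return {name: decode_value(vtype, raw) for name, vtype, raw in values}


# Constructed sample: what the TypedURLs key could hold, as raw hive data
SAMPLE_TYPEDURLS = [
    ("url1", REG_SZ, "http://www.example.com/\x00".encode("utf-16-le")),
    ("url2", REG_SZ, "http://intranet/reports".encode("utf-16-le")),  # no terminator
]

if __name__ == "__main__":
    for name, value in decode_key(SAMPLE_TYPEDURLS).items():
        print(name, value)
```

The REG_DWORD length check matters in practice: a 4-byte value stored with a wrong type, or a truncated value in slack space, should fail loudly rather than be silently misread.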

HKLM and HKU are the only root keys that Windows physically stores in files. HKCU is a symbolic link to a subkey in HKU. HKCR and HKCC are symbolic links to subkeys in HKLM.

The main, core system Registry hive files (specifically SAM, SECURITY, SOFTWARE, DEFAULT and SYSTEM) can be found in the Windows\system32\config directory.

Hive                          File location

HKEY_LOCAL_MACHINE\SYSTEM     \system32\config\system
HKEY_LOCAL_MACHINE\SAM        \system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY   \system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE   \system32\config\software
HKEY_USERS\.DEFAULT           \system32\config\default

In addition there are some hives that have no associated files because of their volatility. The system creates and manages these hives entirely in memory; they are therefore temporary in nature and are recreated at every system boot. Examples of volatile hives are:

- HKEY_LOCAL_MACHINE\HARDWARE
- HKEY_LOCAL_MACHINE\SYSTEM\Clone

WINDOWS REGISTRY SLACK SPACE

Data that has been deleted but left behind in Registry hive files, and is not part of the active hive structure itself.

Forensically interesting locations in the Registry:

- Auto-run locations that list applications to run automatically when the computer boots
- Lists of the most recently used files or applications
- URLs accessed from the system
- All USB storage devices that have been attached to the computer
- Internet Search Assistant
- Printers, computers and people
- Remote Desktop connections
- MSPaint recent files
- Mapped network drives
- Windows Explorer searches
- WordPad recent files
- Excel recent files

Internet Explorer stores its data in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer key.


There are three subkeys within the Internet Explorer key that are important to a forensic analyst.

The first is HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. The user's settings for Internet Explorer are stored in this key, including search bars, form settings, start pages, etc.

The second, and most informative, subkey is HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. Users might have visited unwanted sites and deleted those URLs from this list.

The third subkey that may interest a forensic analyst is HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download. It shows the last directory used to store a file downloaded with Internet Explorer, pointing to where the user stores their files.

Online (live) analysis of the registry / Offline analysis of the registry

Tools covered:

- Live analysis (free / open source): Microsoft PowerShell scripting; Autoruns (Sysinternals tools)
- Offline analysis (free / open source): Registry Decoder

Windows PowerShell

Microsoft's task automation framework, consisting of a command-line shell and an associated scripting language.

- Built on the .NET Framework.
- Provides full access to COM and WMI.
- Lets administrators perform administrative tasks on both local and remote Windows systems.


e.g. after starting PowerShell, enter the command string shown below:

Get-ItemProperty "HKCU:\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TYPEDURLS"

Autoruns

Shows the various locations where programs are configured to run automatically.

Using PsExec, Autoruns can be run remotely.

It is possible to access the Windows Registry of a remote system using regedit.exe or reg.exe, but only the HKEY_LOCAL_MACHINE and HKEY_USERS keys are directly accessible.

Registry Decoder: its purpose is to help automate the acquisition, analysis and reporting of the contents of the Windows Registry. Registry Decoder consists of two components: a live data acquisition tool (Registry Decoder Live) and an offline analysis tool (Registry Decoder).

Perform the registry acquisition first; the resulting directory can then be imported into the offline analysis tool.

Once that data is imported, Registry Decoder can perform an offline analysis of the Windows Registry. To begin the offline analysis, a new case needs to be initiated using the offline tool. To initiate a new case, run Registry Decoder and click "Next" on the first form. This brings you to the case information form.

Examination of the MRU lists, together with examination of the Windows Registry, detects which files were written to removable devices:

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent

Each file in a system is associated with its MAC times.

MAC – Modified, Accessed and Created

Whenever a file is copied, moved or opened, its accessed time changes.

If any changes have been made to the file, both the modified and accessed times change.

The created time is set when the file is created.

Determining whether an important file was copied to a USB device – in Windows 7

1. Identify the file which is suspected of having been copied.

2. Right-click the file and open Properties. Note down the MAC times.

3. Find the Vendor ID, Product ID and version: SYSTEM\CurrentControlSet\Enum\USBSTOR

4. Find the serial number: SYSTEM\CurrentControlSet\Enum\USBSTOR

5. Determine the ParentIdPrefix: SYSTEM\CurrentControlSet\Enum\USBSTOR

6. Determine the drive letter to which the device was mapped: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices – search for the ParentIdPrefix. Determine the drive letter the device was mapped to on the basis of the serial number obtained in step 4.

7. Identify the volume GUIDs: SYSTEM\MountedDevices – search for the ParentIdPrefix. Identify the volume GUIDs on the basis of the serial number. On the right-hand side, click each Name entry to search for the ParentIdPrefix; the GUIDs for each device are listed as "\??\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}".

8. Find the user that used the specific USB device: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 – search for the device GUID. Find the user profile that used the USB device on the basis of the device GUID.

9. Determine the last time the device was connected: SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} – search for the serial number, and determine the last connection time on that basis.

Case 1: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}

Case 2: If no data is obtained from case 1, use HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_125F&PID_CB40\12B220719217011A (the path contains the device's VID, PID and serial number).

10. Identify the first time the device was connected: whenever a flash drive is connected to the system for the first time, all its events are recorded in C:\Windows\inf\setupapi.dev.log. Search that file on the basis of the device serial number.

Determine the first time the device was connected after the last reboot on the basis of the serial number: right-click the key, export it to a text file and search for the last write time.

From the above it can be concluded that the data was copied to the USB device: the MAC times of the file suspected of being copied (xxx.xxx) were checked and compared with the time obtained through the registry analysis. It was observed from the Modified, Accessed and Created times of the file that the access time of xxxx.xxx changed and lies within the vicinity of the last write time of the device. Hence it may be concluded that the USB device was connected at that particular time and is the device in question. Everything analysed so far indicates that the file was copied to the USB disk.

Determining whether an important file was copied to a USB device – in Windows XP

1. setupapi.log: Since almost all devices nowadays are of the "plug-and-play" type, with their associated driver information written in the device firmware, the system can install them directly, ruling out the need for a separate installation disk. Whenever such a Plug-and-Play USB device is connected to a system, the Plug-and-Play (PnP) manager receives this event and queries the device description in its firmware, such as manufacturer, serial number, etc. Upon receiving the information, the PnP manager locates device drivers and a set of Registry keys are created, as described below. These events are recorded in the setupapi.log file in %Windowsdir% (C:\Windows\setupapi.log) when the device is connected to the system for the first time.

In Windows 7 the file is %Windowsdir%\inf\SetupAPI.dev.log.

2. Registry keys created: after the device is identified, a set of registry keys is created as follows:

i. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR\<device_class>\<device_unique_id>\

ii. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\DeviceClasses\{<disk_devices_GUID>}\

iii. <device_class#device_unique_id#{disk_devicesGUID}>\

iv. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\DeviceClasses\{<volume_devices_GUID>}\

v. <STORAGE_RemovableMedia#ParentId_Prefix#{volume_devices_GUID}>\

vi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\Storage\RemovableMedia\<ParentID_Prefix>\

These keys contain details about the device ID, driver description, manufacturer, friendly name, ParentIdPrefix, etc. When the same USB device is connected to the system again, a subkey named Control is created under the above keys. As a result the timestamps of these keys reflect the last time the USB device was connected to the system.

3. Drive letter to which the device was mounted: when connected, a USB device is assigned a drive letter (G, H, etc.), which can be identified through the following key:

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

This key contains a value whose name starts with \??\Volume\ and whose binary data contains the ParentIdPrefix in the form <STORAGE_RemovableMedia#ParentId_Prefix#{volume_devices_GUID}>. The same data is also present in the value

\DosDevices\<drive_letter>

if this USB device was the last device mapped to that drive letter.

4. Finding the user profile through which the USB device was connected: the value name in

\MountedDevices starting with \??\Volume\{…}

occurs only once more, in the ntuser.dat hive of the user profile in which the USB device was connected. Using this value, the user profile through which the USB device was connected can be identified.

5. Time the drive was last connected to the system: the first time a USB device was connected to a system is found from the setupapi.log file and the corresponding registry entries. To associate this time with the actual local time, the Registry key

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones, present in the Software hive, is checked.

6. To track whether a file was opened or copied through Explorer: if a file is opened through Explorer by double-clicking the file name, an entry is created in the Registry key:

\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\

If a file is opened using the Open File menu or saved using the Save As menu in any application program, it is noted in the Registry key

\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

These entries are present in the ntuser.dat registry hive of the user profile identified in step 4 above.

Refer to the section RecentDocs.

7. File copy to USB through other modes – analysis of the file MAC times: if a file is transferred to USB using the copy, cut or Send To context-menu option, no registry entry is created, and one has to examine both the system and the USB device file systems to track the copy.

Whenever a file is accessed (i.e. copied, moved, opened or edited), its MAC (modified, accessed, created) times are updated. However, if the Registry value NtfsDisableLastAccessUpdate, present in the System hive under the key ControlSet00x\Control\FileSystem\, is enabled, then MAC times are not updated. By default this value is not present in Windows XP systems. The MAC times of the files suspected of having been copied are checked.

8. Analysis of the USB device: once the user profile through which the USB device was connected has been identified, and it is established that files were copied to the USB device, a case can be established against that person and the USB device is confiscated for analysis. If the copied files are present on the USB device, their MD5 hash values are compared to those of the original files. If the files are not present, unallocated space is analysed and the files recovered, if not yet overwritten.
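The following Python is an added example, not the document's own procedure or any tool it names, that chains the Windows 7 steps 3 to 9 and the Windows XP steps 2 to 4 and 7 above into one correlation: from a serial number under USBSTOR to the ParentIdPrefix, the drive letter and volume GUID in MountedDevices, the user whose MountPoints2 lists that GUID, and the last-write time of the matching DeviceClasses entry, which is then compared with the suspect file's access time. The evidence dictionary is constructed to mirror the key layout described above (serials, ParentIdPrefix, GUIDs and timestamps are all made up), key last-write times are assumed to have been read from the hive in UTC, and the NtfsDisableLastAccessUpdate caveat from step 7 is applied: when that value is set, the access-time comparison is reported as inconclusive.

```python
from datetime import datetime, timedelta

# Disk device-interface class GUID, as used by the DeviceClasses key in step 9
DISK_CLASS_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
# Constructed MountedDevices entry in the Windows XP form described in step 3
REMOVABLE = "\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Constructed evidence modelled on the key layout described in the procedures above;
# serial numbers, ParentIdPrefix, GUIDs and timestamps are all made up.
EVIDENCE = {
    # SYSTEM\CurrentControlSet\Enum\USBSTOR\<device_class>\<serial>&<n> (steps 3-5)
    "USBSTOR": {"Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP": {
        "0019E06B3C2A&0": {"ParentIdPrefix": "7&1a2b3c4d&0"}}},
    # SYSTEM\MountedDevices: value name -> raw REG_BINARY data (steps 6-7);
    # removable-media entries are UTF-16LE strings, fixed disks are 12 raw bytes
    "MountedDevices": {
        "\\DosDevices\\G:": REMOVABLE.encode("utf-16-le"),
        "\\??\\Volume{3a0f1c2e-9b7d-4c5e-8a21-0123456789ab}": REMOVABLE.encode("utf-16-le"),
        "\\DosDevices\\C:": b"\x5b\x2c\x7e\x1a\x00\x7e\x00\x00\x00\x00\x00\x00",
    },
    # ...\Explorer\MountPoints2 subkeys from each user's NTUSER.DAT (step 8)
    "MountPoints2": {
        "Administrator": ["{3a0f1c2e-9b7d-4c5e-8a21-0123456789ab}", "{aaaaaaaa-0000-0000-0000-000000000000}"],
        "guest": ["{aaaaaaaa-0000-0000-0000-000000000000}"],
    },
    # ...\Control\DeviceClasses\{disk GUID}\<instance> -> key last-write time in UTC (step 9)
    "DeviceClasses": {
        "##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#0019E06B3C2A&0#" + DISK_CLASS_GUID:
            datetime(2014, 1, 27, 16, 42, 10),
    },
    # SYSTEM\ControlSet00x\Control\FileSystem\NtfsDisableLastAccessUpdate (XP step 7)
    "NtfsDisableLastAccessUpdate": 0,
}
# Constructed: access time noted from the suspect file's Properties dialog (step 2), in UTC
SUSPECT_FILE_ACCESS_UTC = datetime(2014, 1, 27, 16, 55, 0)


def find_device(usbstor: dict, serial: str):
    """Locate the USBSTOR instance whose ID is "<serial>&<n>" (case-insensitive)."""
    for device_class, instances in usbstor.items():
        for instance, props in instances.items():
            if instance.split("&")[0].upper() == serial.upper():
                return device_class, instance, props
    return None


def mounted_entry_mentions(data: bytes, needles) -> bool:
    """True if a MountedDevices entry, read as UTF-16LE, names any of the needles."""
    text = data.decode("utf-16-le", errors="replace").lower()
    return any(n.lower() in text for n in needles)


def trace_usb(serial: str, ev: dict):
    """Chain steps 3-9: serial -> ParentIdPrefix -> drive letter / volume GUID -> user -> last connect."""
    found = find_device(ev["USBSTOR"], serial)
    if found is None:
        return None
    prefix = found[2].get("ParentIdPrefix")
    # XP entries carry the ParentIdPrefix, Windows 7 entries carry the serial: match either
    needles = [n for n in (prefix, serial) if n]
    drive_letters, volume_guids = [], []
    for name, data in ev["MountedDevices"].items():
        if not mounted_entry_mentions(data, needles):
            continue
        if name.startswith("\\DosDevices\\"):
            drive_letters.append(name[len("\\DosDevices\\"):])
        elif name.startswith("\\??\\Volume"):
            volume_guids.append(name[len("\\??\\Volume"):])   # keep only "{...}"
    users = [u for u, guids in ev["MountPoints2"].items() if any(g in volume_guids for g in guids)]
    last_connected = None
    for instance_path, last_write in ev["DeviceClasses"].items():
        if serial.upper() in instance_path.upper() and DISK_CLASS_GUID in instance_path.lower():
            last_connected = last_write
    return {"parent_id_prefix": prefix, "drive_letters": drive_letters,
            "volume_guids": volume_guids, "users": users, "last_connected": last_connected}


def assess_copy(file_access_utc, last_connected_utc, ntfs_disable_last_access, window=timedelta(minutes=30)):
    """Compare the file's access time with the device's last-connect time (the concluding step)."""
    if ntfs_disable_last_access:
        return "inconclusive", "NtfsDisableLastAccessUpdate is set; access times were not maintained"
    if last_connected_utc is None:
        return "inconclusive", "no DeviceClasses entry for this serial number"
    delta = file_access_utc - last_connected_utc
    if timedelta(0) <= delta <= window:
        return "consistent", f"file accessed {delta} after the device was last connected"
    return "unsupported", f"file access is {delta} relative to the last connect time"
```

The 30-minute window is an analyst's choice, not a rule from the slides; the point of the function is that the conclusion depends on both the timing and the access-time setting, so a system with NtfsDisableLastAccessUpdate set cannot support the copy inference from access times alone.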

Analysis step-by-step

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName – the computer name

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS – BIOS and product information. The BIOS information includes the BIOS release date and BIOS version; the product information includes the system's product name and its manufacturer's name.

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 – information about the system's processors, including the processor name, its speed and the vendor identifier.

A number of elements of information about user accounts are stored in the Registry: for example the list of user accounts, the last login time of each account, whether it requires a password, whether the account is enabled or disabled, and the method used to hash the account's password. All of this information is held in the following keys.

SECURITY ACCOUNTS MANAGER (SAM):

HKLM\SAM\Domains\Account\Aliases\Members
HKLM\SAM\Domains\Account\Users

SAM is not accessible through the normal Registry view on a live system. After exporting the Registry it can be accessed using a tool such as Registry Viewer. Information such as the user name, logon count, last logon time, last password change, last failed logon, and so on, is stored under the user account(s).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows – the last shutdown time

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – automatically loaded applications

HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications – the list of registered applications

Skype Analysis

Network Analysis

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\

The list of intranet networks the system has been connected to is stored in the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Other keys of interest:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
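As an added example (not from the original slides), the following Python decodes the two binary timestamp formats found in the keys listed above and applies the time-zone correction: ShutdownTime under Control\Windows is a FILETIME in UTC, DateCreated and DateLastConnected under NetworkList\Profiles\{GUID} are SYSTEMTIME structures in local time, and ActiveTimeBias under TimeZoneInformation gives the offset needed to turn UTC values into the machine's local time. The sample values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(data: bytes) -> datetime:
    """Control\\Windows\\ShutdownTime is a REG_BINARY FILETIME: 8 little-endian bytes
    counting 100-nanosecond ticks since 1601-01-01 UTC."""
    if len(data) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = struct.unpack("<Q", data)[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def systemtime_to_naive(data: bytes) -> datetime:
    """NetworkList\\Profiles\\{GUID}\\DateCreated and DateLastConnected are REG_BINARY
    SYSTEMTIME structures: eight little-endian WORDs (year, month, weekday, day, hour,
    minute, second, millisecond). They hold local time, so the result carries no tzinfo."""
    if len(data) != 16:
        raise ValueError("SYSTEMTIME must be exactly 16 bytes")
    year, month, _weekday, day, hour, minute, second, ms = struct.unpack("<8H", data)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def bias_minutes(dword: int) -> int:
    """TimeZoneInformation\\ActiveTimeBias is a REG_DWORD holding a signed value
    (UTC = local + bias). Zones east of UTC store a negative number in two's complement."""
    return dword - (1 << 32) if dword & 0x80000000 else dword


def utc_to_local(utc: datetime, active_time_bias: int) -> datetime:
    """Convert a UTC timestamp to the machine's local time using the raw ActiveTimeBias DWORD."""
    local_tz = timezone(timedelta(minutes=-bias_minutes(active_time_bias)))
    return utc.astimezone(local_tz)


# Constructed sample values (not taken from a real system)
SHUTDOWN_TIME_RAW = struct.pack("<Q", 130354038000000000)                    # 2014-01-28 17:30:00 UTC
DATE_LAST_CONNECTED_RAW = struct.pack("<8H", 2014, 1, 2, 28, 9, 15, 30, 0)  # local SYSTEMTIME
ACTIVE_TIME_BIAS_RAW = 0xFFFFFEB6                                             # -330 minutes: UTC+05:30

if __name__ == "__main__":
    shutdown_utc = filetime_to_utc(SHUTDOWN_TIME_RAW)
    print("last shutdown (UTC):  ", shutdown_utc.isoformat())
    print("last shutdown (local):", utc_to_local(shutdown_utc, ACTIVE_TIME_BIAS_RAW).isoformat())
    print("network last connected (local):", systemtime_to_naive(DATE_LAST_CONNECTED_RAW).isoformat())
```

Mixing the two formats is a common reporting error: a FILETIME must be shifted by the bias before it is compared with a SYSTEMTIME from NetworkList, which is already local.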

RecentDocs

Scenario

A suspicious employee left your company on January 28, 2014. You'd like to know which files were most recently used (opened, saved) on the employee's system right before he/she left.

Pull the user's NTUSER.DAT. Run RegRipper to easily output the values within

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

RecentDocs has subkeys named after every file extension used on the system (e.g. a subkey for .zip, .doc, .mp4, etc.).

Each of these subkeys contains its own MRUListEx value, which keeps track of the order in which files were opened.

Each subkey stores up to 10 numbered values; each numbered value represents a recently opened file with the extension found in the subkey's name.
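As an added example (not from the original document, and not RegRipper's code), the following Python parses one RecentDocs extension subkey the way the scenario describes: it reads the MRUListEx ordering and the numbered values, and it skips a stale MRUListEx index whose numbered value no longer exists rather than failing. The ".doc" subkey data is constructed; a real parser would read the raw values from the NTUSER.DAT hive.

```python
import struct


def parse_mrulistex(data: bytes) -> list:
    """MRUListEx is a REG_BINARY array of little-endian DWORDs, most recent first,
    terminated by 0xFFFFFFFF. Each entry names a numbered value in the same subkey."""
    if len(data) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (index,) in struct.iter_unpack("<I", data):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def recentdocs_name(data: bytes) -> str:
    """A numbered RecentDocs value starts with the document name as a NUL-terminated
    UTF-16LE string; the shortcut data that follows it is not needed here."""
    for i in range(0, len(data) - 1, 2):        # the terminator sits on an even offset
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def recent_files(subkey_values: dict) -> list:
    """File names of one extension subkey in most-recent-first order.
    Indices in MRUListEx whose numbered value is missing are skipped."""
    names = []
    for index in parse_mrulistex(subkey_values["MRUListEx"]):
        raw = subkey_values.get(str(index))
        if raw is not None:
            names.append(recentdocs_name(raw))
    return names


def make_entry(name: str) -> bytes:
    """Constructed value data: name + NUL, then a few bytes standing in for the shortcut data."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00"


# Constructed ".doc" subkey as it might appear under RecentDocs (file names are made up);
# MRUListEx lists index 3, which has no numbered value: a stale entry.
SAMPLE_DOC_SUBKEY = {
    "MRUListEx": struct.pack("<5I", 2, 0, 3, 1, 0xFFFFFFFF),
    "0": make_entry("Q4_forecast.doc"),
    "1": make_entry("clients.doc"),
    "2": make_entry("resignation.doc"),
}

if __name__ == "__main__":
    for position, name in enumerate(recent_files(SAMPLE_DOC_SUBKEY), 1):
        print(position, name)
```

The subkey's own last-write time dates only the first entry in MRUListEx, so for the scenario above the list gives the order of use, not a timestamp per file; the date the employee left can only be tied to the most recent entry of each extension.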
